The first GitHub integration is a composite action that wraps policystrata scan.
It is meant for release gates and pull-request checks: if high-confidence drift is found, the
action exits non-zero and blocks the workflow.
The action installs PolicyStrata from the action checkout by default, so it can be used from a
repository tag before the package is published to PyPI. After the PyPI package is published, callers
can optionally set package to a normal pip install spec such as policystrata==1.0.5.
For CI, run two gates:
policystrata scanfor the policy-drift gate.policystrata doctor --strictfor the implementation-readiness gate.
The action provides the scan gate. Add a CLI doctor step when missing, partial, or invalid wiring should block release.
name: PolicyStrata
on:
pull_request:
push:
branches: [main]
jobs:
scan:
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: raintree-technology/policystrata@v1.0.5
with:
config: policystrata.yaml
out: runs/policystrata
- name: Implementation readiness gate
if: always()
run: policystrata doctor --config policystrata.yaml --strict - uses: raintree-technology/policystrata@v1.0.5
with:
config: policystrata.yaml
out: runs/policystrata
- uses: actions/upload-artifact@v4
if: always()
with:
name: policystrata-scan
path: runs/policystrataWhen your CI test reporter expects JUnit XML, run the scanner CLI directly:
- name: PolicyStrata scan with JUnit
run: |
policystrata scan \
--config policystrata.yaml \
--out runs/policystrata \
--junit test-results/policystrata.xml
- uses: actions/upload-artifact@v4
if: always()
with:
name: policystrata-junit
path: test-results/policystrata.xmlFor CI systems that want a single redacted JSON handoff without Clearance, export the run after the scan or deterministic suite finishes:
- name: Export generic PolicyStrata evidence
if: always()
run: |
policystrata export runs/policystrata \
--format policystrata-json \
--out runs/policystrata/evidence.json
- uses: actions/upload-artifact@v4
if: always()
with:
name: policystrata-evidence
path: runs/policystrata/evidence.jsonThis stays local to the workflow. The generic JSON export is an OSS artifact format; it does not call hosted Clearance APIs and does not require hosted auth.
For repositories that use the optional Clearance runner contract, generate local metadata-only
artifacts and upload only the runner payload. The upload step requires a runner token and returns
exit code 4 on upload/auth failure.
- name: PolicyStrata run
run: |
uv run policystrata run \
--domain support_saas \
--suite seeded \
--out runs/policystrata \
--clearance-config clearance.runner.yaml \
--commit-sha "$GITHUB_SHA" \
--environment ci
- name: Validate Clearance runner config
run: uv run policystrata clearance-runner validate --config clearance.runner.yaml
- name: Write Clearance evidence pack
run: |
uv run policystrata clearance-runner evidence-pack \
--run-dir runs/policystrata \
--config clearance.runner.yaml \
--out runs/policystrata/evidence-pack.json
- name: Upload Clearance metadata
env:
CLEARANCE_RUNNER_TOKEN: ${{ secrets.CLEARANCE_RUNNER_TOKEN }}
run: |
uv run policystrata clearance-runner upload \
--run-dir runs/policystrata \
--config clearance.runner.yamldoctor audits only the selected config. In the copied postgres_dbt example,
policystrata_clean.yaml is a minimal clean scan and will not claim database readiness. Use
policystrata_real_db_clean.yaml for DB/RLS readiness checks, or merge the dbt and database
sections into your application config before enabling doctor --strict as a release gate.
config: scanner config path. Defaults topolicystrata.yaml.out: output directory forscan.json,findings.jsonl,summary.json,report.md, witnesses, and optional SARIF. Defaults toruns/policystrata.python-version: Python version for the action runtime. Defaults to3.12.package: optional pip install spec. Leave empty to install from the action checkout.extra-args: additional trustedpolicystrata scanarguments.
The action is a CI wrapper around the CLI. It is not a GitHub CLI extension, hosted scanner, MCP server, or authorization boundary.
Repository-relative paths in policystrata.yaml resolve in the checked-out caller repository.
For real database checks, configure disposable services or sanitized fixtures in the workflow; do
not point first-pass release gates at mutable production databases.